The maintainer jackton1's response to this is extremely shady. He tries to prove his innocence by showing that Renovate bot changed the author of the malicious commit, but I'm betting he's behind the whole thing.
Dependabot has never recommended a SHA hash for a GitHub Action for me. The suggested pull request updates the tag from @v4 to @v4.2.1 or similar.
But tags are said to be risky too [1], because tags can "float." The SHA hash would eventually be out of date.
Wonder how a "supply chain risk expiration" service would recommend the next safest version to upgrade to. Otherwise, it will always be a manual check among multiple vendors. (Or, just pin the version one is happy with.)
[1] https://docs.github.com/en/actions/security-for-github-actio...
Pinning the version is the way to go, at least for now. GitHub Actions not supporting lockfiles is a huge missing feature.
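The thread above contrasts floating tags (@v4, @v4.2.1) with full-commit-SHA pins. Here is an added example, not code from the thread or from any action maintainer, of the kind of check a repo could run in CI until GitHub ships a lockfile: it scans the `uses:` lines of a workflow, flags references that are not a 40-hex commit SHA (or an image digest for docker:// steps), and shows how to rewrite a tag reference into a SHA pin with the tag kept as a trailing comment (the convention Dependabot and Renovate use when they do update SHA pins). The workflow text, action names and the SHA are constructed for the demo; the script does not contact GitHub, so resolving a tag to its current SHA (e.g. with `git ls-remote`) is left to the caller.

```python
import re

# Constructed sample workflow for the demo; the repositories, tags and the
# 40-hex value below are illustrative and do not refer to real releases.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4.2.1
      - uses: some-org/some-action@0123456789abcdef0123456789abcdef01234567 # v2.1.0
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - run: npm test
"""

# Matches "uses: <ref>" whether or not it is the first key of a list item.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(\S+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(uses: str) -> str:
    """Classify one `uses:` value.

    sha      - owner/repo@<40-hex commit>      (immutable)
    digest   - docker://image@sha256:<digest>  (immutable)
    local    - ./path inside the same repo     (covered by the repo's own history)
    mutable  - tag, branch, or image tag       (can be moved by the remote)
    unpinned - no ref at all
    """
    if uses.startswith("./"):
        return "local"
    if uses.startswith("docker://"):
        return "digest" if "@sha256:" in uses else "mutable"
    if "@" not in uses:
        return "unpinned"
    _, ref = uses.rsplit("@", 1)
    return "sha" if FULL_SHA_RE.match(ref) else "mutable"


def find_mutable(workflow_text: str) -> list[tuple[int, str]]:
    """Return (line_number, uses_value) for every step that is not pinned
    to an immutable identifier. Line numbers are 1-based."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        uses = m.group(1)
        if classify_ref(uses) in ("mutable", "unpinned"):
            findings.append((lineno, uses))
    return findings


def pin_to_sha(uses: str, sha: str) -> str:
    """Rewrite owner/repo@<tag> as owner/repo@<sha> # <tag>.

    The caller supplies the commit the tag resolves to today; keeping the
    tag in a comment is what lets Dependabot/Renovate later bump the pin.
    """
    if not FULL_SHA_RE.match(sha):
        raise ValueError("expected a full 40-hex commit SHA")
    name, ref = uses.rsplit("@", 1)
    return f"{name}@{sha} # {ref}"


if __name__ == "__main__":
    for lineno, uses in find_mutable(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {uses} is not pinned to a commit SHA")
```

Exit non-zero from `find_mutable` in CI if you want the check to block merges; the list is empty only when every third-party step is on a commit SHA or image digest.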